WELCOME TO: 
MODULE 7 


NETWORKING, SERVICES 
AND SYSTEM UPDATES 


Internet Access to VM 


• Open VirtualBox Manager
• Select the machine you cannot get internet on in the left pane
• Click the Settings button in the top menu
• Click Network in the left pane in the settings window
• Switch to Bridged Adapter in the "Attached to" drop-down menu
• Hit OK to save your changes
• Start your VM
Network Components

• IP
• Subnet mask
• Gateway
• Static vs. DHCP
• Interface
• Interface MAC
Network Files and Commands


Interface Detection 


Assigning an IP address 


Interface configuration files 


/etc/nsswitch.conf 

/etc/hostname 

/etc/sysconfig/network 
/etc/sysconfig/network-scripts/ifcfg-nic 
/etc/resolv.conf 


Network Commands 


ping 

ifconfig 

ifup or ifdown 
netstat 
tcpdump 
NIC Information
NIC = Network Interface Card 


Example: 
ethtool enp0s3 


Other NICs
lo = The loopback device is a special interface that your computer uses to communicate
with itself. It is used mainly for diagnostics and troubleshooting, and to connect to servers
running on the local machine

virbr0 = The virbr0, or "Virtual Bridge 0", interface is used for NAT (Network Address
Translation). Virtual environments sometimes use it to connect to the outside network
NIC Bonding

NIC = Network Interface Card (PC or laptop)

NIC (Network Interface Card) bonding, also known as network bonding, can be
defined as the aggregation or combination of multiple NICs into a single bond
interface.

Its main purpose is to provide high availability and redundancy.

[Figure: NIC bonding provides Redundancy, High Availability and Link Aggregation]
NIC Bonding Procedure

• modprobe bonding
• modinfo bonding
• Create /etc/sysconfig/network-scripts/ifcfg-bond0
• Edit /etc/sysconfig/network-scripts/ethernet1
• Edit /etc/sysconfig/network-scripts/ethernet2
• Restart network = systemctl restart network

[Figure: NIC 1 and NIC 2 combined into bond0]
New Network Utilities

What we will learn in this lecture...

• Getting started with NetworkManager
• Network configuration methods
• nmtui
• nmcli
• nm-connection-editor
• GNOME Settings
New Network Utilities

✓ Getting started with NetworkManager

NetworkManager is a service that provides a set of tools designed specifically to make it easier to
manage the networking configuration on Linux systems, and it is the default network management
service on RHEL 8.

It makes network management easier.

It provides easy setup of connections to the user.

NetworkManager offers management through different tools such as a GUI, nmtui, and
nmcli.
New Network Utilities

✓ Network configuration methods

• nmcli - Short for NetworkManager command line interface. This tool is useful when access to a
graphical environment is not available, and it can also be used within scripts to make network
configuration changes.

• nmtui - Short for NetworkManager text user interface. This tool can be run within any terminal
window and allows changes to be made by making menu selections and entering data.

• nm-connection-editor - A full graphical management tool providing access to most of the
NetworkManager configuration options. It can only be accessed through the desktop or console.

• GNOME Settings - The network screen of the GNOME desktop settings application allows basic
network management tasks to be performed.

• Let's practice in our Linux machine...
Manage Linux Networking

✓ Using nmcli to configure a static IP

• # nmcli device (get the listing of network interfaces)
• # nmcli connection modify enp0s3 ipv4.addresses 10.253.1.x/24
• # nmcli connection modify enp0s3 ipv4.gateway 10.253.1.1
• # nmcli connection modify enp0s3 ipv4.method manual
• # nmcli connection modify enp0s3 ipv4.dns 8.8.8.8
• # nmcli connection down enp0s3 && nmcli connection up enp0s3
• # ip address show enp0s3
Manage Linux Networking

✓ Adding a secondary static IP using nmcli

• # nmcli device status
• # nmcli connection show --active
• # ifconfig
• # nmcli connection modify enp0s3 +ipv4.addresses 10.0.0.211/24
• # nmcli connection reload
• # systemctl reboot
• # ip address show
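As an added example (not part of the slides), the static-IP and secondary-IP steps above wrapped in a small bash script. The address, gateway and DNS values are checked before nmcli is called, so a typo cannot leave the connection half-configured, and DRY_RUN=1 prints the commands instead of running them. The connection name enp0s3 and the addresses are the slides' sample values; the function names and the host address 10.253.1.117 are choices made for this example.

```shell
#!/bin/bash
# Added example: static IPv4 setup with nmcli, as on the slides, with input validation.
# DRY_RUN=1 prints the nmcli commands instead of executing them (otherwise run as root).

# valid_ipv4 ADDRESS: succeed if ADDRESS is a dotted quad with each octet in 0-255.
valid_ipv4() {
    local ip=$1 octet
    case $ip in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # only digits and dots, no empty octets
    esac
    local IFS=.
    set -- $ip
    [ $# -eq 4 ] || return 1
    for octet; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# valid_ipv4_cidr ADDRESS/PREFIX: succeed if the address is valid and the prefix is 0-32.
valid_ipv4_cidr() {
    local addr=${1%/*} prefix=${1#*/}
    [ "$addr" != "$1" ] || return 1            # no "/PREFIX" part at all
    valid_ipv4 "$addr" || return 1
    case $prefix in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ]
}

# run COMMAND...: execute it, or only print it when DRY_RUN is set.
run() {
    if [ -n "${DRY_RUN:-}" ]; then printf '%s\n' "$*"; else "$@"; fi
}

# nmcli_static_ip CONNECTION ADDRESS/PREFIX GATEWAY DNS  (the slide's sequence)
nmcli_static_ip() {
    local conn=$1 cidr=$2 gw=$3 dns=$4
    valid_ipv4_cidr "$cidr" || { echo "bad address/prefix: $cidr" >&2; return 1; }
    valid_ipv4 "$gw"        || { echo "bad gateway: $gw" >&2; return 1; }
    valid_ipv4 "$dns"       || { echo "bad DNS server: $dns" >&2; return 1; }
    run nmcli connection modify "$conn" ipv4.addresses "$cidr"
    run nmcli connection modify "$conn" ipv4.gateway "$gw"
    run nmcli connection modify "$conn" ipv4.method manual
    run nmcli connection modify "$conn" ipv4.dns "$dns"
    # Re-activate the connection so the new settings take effect.
    run nmcli connection down "$conn" && run nmcli connection up "$conn"
}

# nmcli_add_secondary_ip CONNECTION ADDRESS/PREFIX: "+ipv4.addresses" appends an
# address instead of replacing the list; re-activating applies it without a reboot.
nmcli_add_secondary_ip() {
    local conn=$1 cidr=$2
    valid_ipv4_cidr "$cidr" || { echo "bad address/prefix: $cidr" >&2; return 1; }
    run nmcli connection modify "$conn" +ipv4.addresses "$cidr"
    run nmcli connection up "$conn"
}

# When called as a script with arguments, configure the static address.
# Example (constructed host address):
#   DRY_RUN=1 ./nmcli-static.sh enp0s3 10.253.1.117/24 10.253.1.1 8.8.8.8
[ $# -eq 0 ] || nmcli_static_ip "$@"
```

Run it with DRY_RUN=1 first to see exactly which nmcli commands will be issued; the validation rejects a missing prefix length (a common mistake that otherwise silently becomes /32).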
System Updates and Repos

• yum (CentOS), apt-get (other Linux)
• rpm (Red Hat Package Manager)
• Installing packages
• Upgrading
• Deleting
• View package details information
• Identify source or location information
• Package configuration files
• Example of a Windows browser (screenshot)
• Linux = wget

• Example in Linux:
wget http://website.com/filename

• Why???
Most of the servers in a corporate environment do NOT have internet access

• Example of a Windows browser (screenshot)
• Linux = curl
• Linux = ping

• Example in Linux:
curl http://website.com/filename
curl -O http://website.com/filename
ping www.google.com
FTP — File Transfer Protocol

• The File Transfer Protocol is a standard network protocol used for the transfer of
computer files between a client and server on a computer network. FTP is built
on a client-server model architecture using separate control and data
connections between the client and the server. (Wikipedia)

• Protocol = Set of rules used by computers to communicate
• Default FTP Port = 21
• For this lecture we need 2 Linux machines
• Client = MyFirstLinuxVM
• Server = LinuxCentOS7

FTP — File Transfer Protocol

[Figure: Client = A connects to Server = B, where ftpd listens on port 21]


By: Imran Afzal 
www.utclisolutions.com 


FTP — File Transfer Protocol

• Install and configure FTP on the remote server
• # Become root
• # rpm -qa | grep ftp
• # ping www.google.com
• # yum install vsftpd
• # vi /etc/vsftpd/vsftpd.conf (make a copy first)

• Find the following lines and make the changes as shown below:
• ## Disable anonymous login ##
• anonymous_enable=NO

• ## Uncomment ##
• ascii_upload_enable=YES
• ascii_download_enable=YES

• ## Uncomment - Enter your welcome message - This is optional ##
• ftpd_banner=Welcome to UNIXMEN FTP service.

• ## Add at the end of this file ##
• use_localtime=YES

systemctl start vsftpd
systemctl enable vsftpd
systemctl stop firewalld
systemctl disable firewalld

useradd iafzal (if the user does not exist)
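The vsftpd.conf edits above are usually done by hand in vi, which makes it easy to leave a second, commented-out anonymous_enable line behind or to apply the change twice. As an added example (not from the slides), the following bash script makes the same changes idempotently: it keeps the "make a copy first" backup, rewrites an existing key whether or not it is commented out, drops duplicates, and appends the key when it is missing. The sample config it works on is constructed to resemble the stock file; set_kv, get_kv and harden_vsftpd are names chosen here.

```shell
#!/bin/bash
# Added example: apply the slide's vsftpd.conf changes without leaving duplicate
# or commented-out copies of a key behind. Works on any "KEY=VALUE" style file.

# set_kv FILE KEY VALUE: make "KEY=VALUE" the only setting for KEY in FILE.
set_kv() {
    local file=$1 key=$2 value=$3
    awk -v key="$key" -v value="$value" '
        $0 ~ "^[ \t]*#?[ \t]*" key "=" {        # existing setting, active or commented out
            if (!done) { print key "=" value; done = 1 }
            next                                 # later duplicates are dropped
        }
        { print }
        END { if (!done) print key "=" value }   # key absent: append it
    ' "$file" > "$file.tmp" && cat "$file.tmp" > "$file" && rm -f "$file.tmp"
    # "cat >" keeps the original file's permissions and SELinux context.
}

# get_kv FILE KEY: print the active (uncommented) value of KEY, or nothing.
get_kv() {
    sed -n "s/^[[:space:]]*$2=//p" "$1" | tail -n 1
}

# harden_vsftpd FILE: the edits from the slide, keeping a timestamped backup beside the file.
harden_vsftpd() {
    local file=$1
    cp -p "$file" "$file.bak.$(date +%Y%m%d%H%M%S)"
    set_kv "$file" anonymous_enable NO
    set_kv "$file" ascii_upload_enable YES
    set_kv "$file" ascii_download_enable YES
    set_kv "$file" ftpd_banner "Welcome to UNIXMEN FTP service."
    set_kv "$file" use_localtime YES
}

# make_sample_vsftpd_conf FILE: constructed sample resembling stock vsftpd.conf defaults.
make_sample_vsftpd_conf() {
    cat > "$1" <<'EOF'
# Example config file /etc/vsftpd/vsftpd.conf (constructed sample for this example)
anonymous_enable=YES
local_enable=YES
write_enable=YES
#ascii_upload_enable=YES
#ascii_download_enable=YES
#ftpd_banner=Welcome to blah FTP service.
listen=NO
EOF
}

# Real use:  harden_vsftpd /etc/vsftpd/vsftpd.conf && systemctl restart vsftpd
# Quick check of the one setting that matters most:
#   get_kv /etc/vsftpd/vsftpd.conf anonymous_enable    (should print NO)
```

Running harden_vsftpd a second time changes nothing, which is what you want from a script that may be re-run after a package update restores a default file. The anonymous_enable check is the one to verify after every change, since an anonymous-writable FTP server is the classic misconfiguration.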


FTP — File Transfer Protocol

• Install the FTP client on the client machine
• # Become root
• # yum install ftp
• # su - iafzal
• $ touch kruger

• Commands to transfer a file to the FTP server:
• ftp 192.168.1.x (the FTP server's IP address)
• Enter username and password
• bi (switch to binary mode)
• hash
• put kruger
• bye
SCP — Secure Copy Protocol

• The Secure Copy Protocol or "SCP" helps to transfer computer files securely
from a local to a remote host. It is somewhat similar to the File Transfer Protocol
"FTP", but it adds security and authentication

• Protocol = Set of rules used by computers to communicate
• Default SCP Port = 22 (same as SSH)
• For this lecture we need 2 Linux machines
• Client = MyFirstLinuxVM
• Server = LinuxCentOS7

SCP — Secure Copy

[Figure: Client = A connects to Server = B, where sshd listens on port 22]
SCP — Secure Copy

• SCP commands to transfer a file to the remote server:
• Login as yourself (iafzal)
• touch jack
• scp jack iafzal@192.168.1.x:/home/iafzal
• Enter username and password
rsync — Remote Synchronization

rsync is a utility for efficiently transferring and synchronizing files within the
same computer or to a remote computer by comparing the modification times
and sizes of files

rsync is a lot faster than ftp or scp

This utility is mostly used to back up the files and directories from one server to
another

Default rsync Port = 22 (same as SSH)
For this lecture we need 2 Linux machines
• Client = MyFirstLinuxVM
• Server = LinuxCentOS7

rsync — Remote Synchronization


Basic syntax of the rsync command
• # rsync options source destination

Install rsync in your Linux machine (check if it already exists)
• # yum install rsync (on CentOS/Red Hat based systems)
• # apt-get install rsync (on Ubuntu/Debian based systems)

rsync a file on a local machine
• $ tar cvf backup.tar . (tar the entire home directory, /home/iafzal)
• $ mkdir /tmp/backups
• $ rsync -zvh backup.tar /tmp/backups/

rsync a directory on a local machine
• $ rsync -azvh /home/iafzal /tmp/backups/

rsync a file to a remote machine
• $ mkdir /tmp/backups (create the /tmp/backups dir on the remote server)
• $ rsync -avz backup.tar iafzal@192.168.1.x:/tmp/backups

rsync a file from a remote machine
• $ touch serverfile (on the remote server)
• $ rsync -avzh iafzal@192.168.1.x:/home/iafzal/serverfile /tmp/backups
System Upgrade/Patch Management

• Two types of upgrades
Major version = 5, 6, 7
Minor version = 7.3 to 7.4

Major version = yum upgrade
Minor version = yum update

Example:
yum update -y

yum update vs. upgrade
upgrade = deletes obsolete packages
update = preserves obsolete packages
• What is a local repository?
Red Hat or CentOS repository

• Command
createrepo

• Telnet = Unsecured connection between computers
• SSH = Secured
• Two types of packages for most of the services
• Client package
• Server package

[Figure: Client connects to Server]
SSH without a Password

• SSH is a secure way to login from host A to host B
• Repetitive tasks require login without a password

What we will learn...
• How to generate SSH keys on the server
• Add SSH keys to the client
• Verify by logging in through SSH
DNS - Domain Name System

• Purpose?
Hostname to IP (A Record)
IP to Hostname (PTR Record)
Hostname to Hostname (CNAME Record)

• Files
/etc/named.conf
/var/named

• Service
systemctl restart named
Create a snapshot of your virtual machine

Setup:
• Master DNS
• Secondary or Slave DNS
• Client

Domain Name = lab.local
IP address = My local IP address on enp0s3

Install the DNS package
• yum install bind bind-utils -y

Configure DNS (summary)
• Modify /etc/named.conf
• Create two zone files (forward.lab and reverse.lab)
• Modify DNS file permissions and start the service

Revert back to the snapshot
HOSTNAME / IP LOOKUP

• Commands used for DNS lookup
• nslookup
• dig
NTP

• Purpose?
Time synchronization

• File
/etc/ntp.conf

• Service
systemctl restart ntpd

• Command
ntpq

• Purpose? = Time synchronization
• Package name = chrony
• Configuration file = /etc/chrony.conf
• Log file = /var/log/chrony
• Service = systemctl start/restart chronyd
• Program command = chronyc
The timedatectl command is a new utility for RHEL/CentOS 7/8 based distributions, which comes as a
part of the systemd system and service manager

It is a replacement for the old traditional date command
The timedatectl command shows/changes the date, time, and timezone

It synchronizes the time with an NTP server as well
• You can either use chronyd or ntpd and set the ntp setting in timedatectl to yes
• Or you can use the systemd-timesyncd daemon to synchronize time, which is a replacement for ntpd and
chronyd

Please note:
Red Hat/CentOS does not provide this daemon in its standard repo. You will have to download it separately.
Lab exercise:

To check time status
• timedatectl

To view all available time zones
• timedatectl list-timezones

To set the time zone
• timedatectl set-timezone "America/New_York"

To set the date
• timedatectl set-time YYYY-MM-DD

To set the date and time
• timedatectl set-time '2015-11-20 16:14:50'

To start automatic time synchronization with a remote NTP server
• timedatectl set-ntp true
Purpose?
Send and receive emails

Files
/etc/mail/sendmail.mc
/etc/mail/sendmail.cf
/etc/mail

Service
systemctl restart sendmail

Command
mail -s "subject line" email@mydomain.com
• Sendmail is a program in Linux operating systems that allows
systems administrators to send email from the Linux system

• It uses SMTP (Simple Mail Transfer Protocol)
• SMTP port = 25

• It attempts to deliver the mail to the intended recipient immediately
and, if the recipient is not present, it queues messages for later
delivery.

• Sendmail installation and configuration
# su - (login as root)
# rpm -qa | grep sendmail (verify if it is already installed)
# yum install sendmail sendmail-cf
# vi /etc/mail/sendmail.mc
# systemctl start sendmail
# systemctl enable sendmail
# systemctl stop firewalld
# systemctl disable firewalld
• Purpose = Serve webpages

[Figure: screenshot of a website (Facebook sign-up page) in a browser]

• Service or Package name = httpd
• Log Files = /var/log/httpd
• Files = /etc/httpd/conf/httpd.conf
= /var/www/html/index.html

• Service
systemctl restart httpd
systemctl enable httpd
Purpose = Generate logs or collect logs from other servers
Service or package name = rsyslog
Configuration file = /etc/rsyslog.conf

Service
systemctl restart rsyslog
systemctl enable rsyslog
• Purpose = Share files or directories (filesystem)
• Service or package name = nfs-utils
• Configuration files = /etc/fstab, /etc/exports, /etc/sysconfig/nfs

• Service
systemctl restart nfs-server
systemctl enable nfs-server
• User Accounts
• Remove unwanted packages
• Stop unused services
• Check on listening ports
• Secure SSH configuration
• Enable the firewall (iptables/firewalld)
• Enable SELinux
• Change listening services' port numbers
• Keep your OS up to date (security patching)
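For the "check on listening ports" item, the useful habit is to compare what the host actually listens on against the short list of services it is supposed to offer, and to treat anything else as an unused service to stop or a package to remove. As an added example (not from the slides), the bash functions below do that over the output format of ss -tlnp: loopback-only sockets are skipped because they are not reachable from the network, and every other listening port is reported unless it is on the allow list. The listing embedded here is constructed for the example; on a real host pipe ss -tlnp into the same functions. ALLOWED_PORTS, listening_ports and unexpected_ports are names chosen here.

```shell
#!/bin/bash
# Added example: report network-reachable listening TCP ports that are not on an allow list.
# Input is "ss -tlnp" output; SAMPLE_SS_OUTPUT below is constructed for this example.

ALLOWED_PORTS=${ALLOWED_PORTS:-"22 80 443"}    # what this host is supposed to serve

SAMPLE_SS_OUTPUT='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=912,fd=3))
LISTEN 0      128    127.0.0.1:25       0.0.0.0:*         users:(("sendmail",pid=1044,fd=4))
LISTEN 0      128    0.0.0.0:21         0.0.0.0:*         users:(("vsftpd",pid=1101,fd=3))
LISTEN 0      511    *:80               *:*               users:(("httpd",pid=1200,fd=4))
LISTEN 0      128    [::]:22            [::]:*            users:(("sshd",pid=912,fd=4))'

# listening_ports < ss-output: print "PORT PROCESS" for each LISTEN socket that is
# bound to a non-loopback address, deduplicated (IPv4 and IPv6 sockets of one daemon).
listening_ports() {
    awk '$1 == "LISTEN" {
            addr = $4; port = addr; sub(/.*:/, "", port)       # text after the last ":"
            if (addr ~ /^(127\.|\[::1\])/) next                # loopback only: not exposed
            proc = "-"
            if (match($0, /"[^"]+"/)) proc = substr($0, RSTART + 1, RLENGTH - 2)
            key = port " " proc
            if (!(key in seen)) { seen[key] = 1; print key }
         }'
}

# unexpected_ports [ALLOWED] < ss-output: the listening ports not in the allow list
# (ALLOWED defaults to $ALLOWED_PORTS; a space-separated list of port numbers).
unexpected_ports() {
    local allowed=${1:-$ALLOWED_PORTS}
    listening_ports | awk -v allowed=" $allowed " 'index(allowed, " " $1 " ") == 0'
}

# Real use on a host:   ss -tlnp | unexpected_ports
# Demonstration on the constructed listing:
#   printf '%s\n' "$SAMPLE_SS_OUTPUT" | unexpected_ports      (reports "21 vsftpd")
```

With the default allow list the sample reports only the FTP daemon on port 21; the sendmail listener on 127.0.0.1:25 is not reported because it is bound to loopback. Running this from cron and diffing against the previous result turns the checklist item into a simple detection.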
• What is OpenLDAP?
• OpenLDAP Service
• slapd

• Start or stop the service
• systemctl start slapd
• systemctl enable slapd

• Configuration Files
• /etc/openldap/slapd.d
Trace Network Traffic (traceroute)

• The traceroute command is used in Linux to map the journey that a packet
of information undertakes from its source to its destination. One use for
traceroute is to locate where data loss occurs throughout a network, which
could signify a node that's down.

• Because each hop in the record reflects a new server or router between
the originating PC and the intended target, reviewing the results of a
traceroute scan also lets you identify slow points that may adversely affect
your network traffic.

• Example
# traceroute www.google.com
Configure and Secure SSH

• SSH stands for secure shell
• It provides you with an interface to the Linux system. It takes in
your commands and translates them for the kernel to manage hardware

[Figure: user -> shell -> kernel -> hardware]

• OpenSSH is a package/software
• Its service daemon is sshd
• SSH port # 22
Configure and Secure SSH

SSH itself is secure, meaning communication through SSH is always encrypted, but there
is some additional configuration that can be done to make it more secure.
The following are the most common configuration steps an administrator should take to secure SSH.

✓ Configure an idle timeout interval

To avoid leaving an unattended SSH session open, you can set an idle timeout interval

• Become root
• Edit your /etc/ssh/sshd_config file and add the following lines:
• ClientAliveInterval 600
• ClientAliveCountMax 0
• # systemctl restart sshd

The idle timeout interval you are setting is in seconds (600 secs = 10 minutes). Once the interval
has passed, the idle user will be automatically logged out
Configure and Secure SSH

✓ Disable root login

Disabling root login should be one of the measures you take when setting up
the system for the first time. It prevents any user from logging in to the system with the root
account

• Become root
• Edit your /etc/ssh/sshd_config file and change PermitRootLogin yes to no
• PermitRootLogin no
• # systemctl restart sshd


Configure and Secure SSH

✓ Disable empty passwords

You need to prevent remote logins from accounts with empty passwords for
added security.

• Become root
• Edit your /etc/ssh/sshd_config file and remove # from the following line
• PermitEmptyPasswords no
• # systemctl restart sshd
Configure and Secure SSH

✓ Limit users' SSH access

To provide another layer of security, you should limit your SSH logins to only certain
users who need remote access

• Become root
• Edit your /etc/ssh/sshd_config file and add
• AllowUsers user1 user2
• # systemctl restart sshd
Configure and Secure SSH

✓ Use a different port

By default SSH runs on port 22. Most hackers looking for any open SSH servers will
look for port 22, and changing it can make the system much more secure

• Become root
• Edit your /etc/ssh/sshd_config file, remove # from the following line and
change the port number
• Port 22
• # systemctl restart sshd
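The five sshd_config changes on the preceding slides (idle timeout, PermitRootLogin, PermitEmptyPasswords, AllowUsers, Port) are easy to get wrong in one particular way: sshd uses the first occurrence of a keyword and silently ignores any later duplicate, so adding "PermitRootLogin no" at the end of a file that still has "PermitRootLogin yes" higher up changes nothing. As an added example (not from the slides), the bash audit below reads a config the way sshd does (first match wins, lines inside a Match block excluded) and reports PASS/FAIL per setting. The two sample configs are constructed; effective_value, audit_sshd and the sample-file functions are names chosen here.

```shell
#!/bin/bash
# Added example: audit an sshd_config against the slides' hardening settings, honouring
# sshd's first-occurrence-wins rule. Sample configs below are constructed for the example.

# effective_value FILE KEYWORD: the value sshd would use for KEYWORD (first uncommented
# occurrence outside any "Match" block), or "unset" if it is not set globally.
effective_value() {
    awk -v kw="$2" '
        tolower($1) == "match" { in_match = 1 }       # everything below is conditional
        !in_match && tolower($1) == tolower(kw) && !found {
            sub(/^[ \t]*[^ \t]+[ \t]+/, ""); print; found = 1
        }
        END { if (!found) print "unset" }' "$1"
}

# check LABEL ACTUAL EXPECTED: print a PASS/FAIL line; fail status when they differ.
check() {
    if [ "$2" = "$3" ]; then printf 'PASS  %s (%s)\n' "$1" "$2"; return 0; fi
    printf 'FAIL  %s (found: %s)\n' "$1" "$2"; return 1
}

# audit_sshd FILE: one line per setting; returns 1 if any hardening check fails.
audit_sshd() {
    local file=$1 status=0 v
    check "PermitRootLogin no"      "$(effective_value "$file" PermitRootLogin)" no || status=1
    check "PermitEmptyPasswords no" "$(effective_value "$file" PermitEmptyPasswords)" no || status=1
    v=$(effective_value "$file" ClientAliveInterval)
    if [ "$v" = unset ] || [ "$v" -le 0 ] || [ "$v" -gt 600 ]; then
        printf 'FAIL  ClientAliveInterval 1-600 (found: %s)\n' "$v"; status=1
    else
        printf 'PASS  ClientAliveInterval 1-600 (%s)\n' "$v"
    fi
    # The slide uses 0. OpenSSH 8.2 and later treat 0 as "never disconnect", so 1 is
    # the portable choice; either value is accepted here.
    v=$(effective_value "$file" ClientAliveCountMax)
    if [ "$v" = 0 ] || [ "$v" = 1 ]; then
        printf 'PASS  ClientAliveCountMax 0 or 1 (%s)\n' "$v"
    else
        printf 'FAIL  ClientAliveCountMax 0 or 1 (found: %s)\n' "$v"; status=1
    fi
    v=$(effective_value "$file" AllowUsers)
    if [ "$v" = unset ] || [ -z "$v" ]; then
        printf 'FAIL  AllowUsers restricts logins (found: %s)\n' "$v"; status=1
    else
        printf 'PASS  AllowUsers restricts logins (%s)\n' "$v"
    fi
    # Informational: moving off port 22 only hides sshd from casual scans.
    printf 'INFO  Port (%s)\n' "$(effective_value "$file" Port)"
    return $status
}

# Constructed "before" sample: everything still at the commented-out defaults.
make_sample_sshd_config() {
    cat > "$1" <<'EOF'
#Port 22
#PermitRootLogin yes
#PermitEmptyPasswords no
X11Forwarding yes
Subsystem sftp /usr/libexec/openssh/sftp-server
EOF
}

# Constructed "after" sample, including a duplicate that sshd ignores and a Match block.
make_hardened_sshd_config() {
    cat > "$1" <<'EOF'
Port 2222
PermitRootLogin no
PermitEmptyPasswords no
ClientAliveInterval 600
ClientAliveCountMax 0
AllowUsers iafzal user2
# duplicate below is ignored by sshd: the first occurrence wins
PermitRootLogin yes
Match User backup
    PermitRootLogin yes
EOF
}

# Real use:  audit_sshd /etc/ssh/sshd_config
```

Run sshd -t before restarting sshd after any edit; a syntax error leaves the daemon unable to restart, and with root login disabled and AllowUsers in place you want to be certain the remaining allowed account still works before closing your current session.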
Configure and Secure SSH

✓ SSH Keys - Access a remote server without a password

Watch the next video

Configure and Secure SSH
Access Remote Server without Password (SSH Keys)

Two reasons to access a remote machine
• Repetitive logins
• Automation through scripts

Keys are generated at the user level
• iafzal
• root

Configure and Secure SSH

Access Remote Server without Password (SSH Keys)

[Figure: Client = MyFirstLinuxVM generates keys and copies the public key over SSH to Server = LinuxCentOS7]

Client = MyFirstLinuxVM
Step 1 — Generate the key
# ssh-keygen

Step 2 — Copy the key to the server
# ssh-copy-id root@192.168.1.x

Step 3 — Login from client to server
# ssh root@192.168.1.x
# ssh -l root 192.168.1.x
Cockpit

Cockpit is a server administration tool sponsored by Red Hat, focused on providing a
modern-looking and user-friendly interface to manage and administer servers

Cockpit is the easy-to-use, integrated, glanceable, and open web-based interface for your
servers

The application is available in most of the Linux distributions such as CentOS, Red Hat,
Ubuntu and Fedora

It is installed in Red Hat 8 by default and it is optional in version 7
It can monitor system resources, add or remove accounts, monitor system usage, shut
down the system and perform quite a few other tasks, all through a very accessible web
connection
Install, Configure and Manage Cockpit

• Check for network connectivity
• ping www.google.com

• Install the cockpit package as root
• yum/dnf install cockpit -y (for RH or CentOS)
• apt-get install cockpit (for Ubuntu)

• Start and enable the service
• systemctl start|enable cockpit

• Check the status of the service
• systemctl status cockpit

• Access the web interface
• https://192.168.1.x:9090
What is a Firewall

Introduction to Firewall

A wall that prevents the spread of fire

Firewall

When data moves in and out of a server, its packet information is tested against the
firewall rules to see if it should be allowed or not

In simple words, a firewall is like a watchman, a bouncer, or a shield that has a set
of rules given, and based on those rules they decide who can enter and leave

There are 2 types of firewalls in IT
• Software = Runs on the operating system
• Hardware = A dedicated appliance with firewall software

Introduction to Firewall

[Figure: host A and host B behind a firewall; rule = A is allowed for 22]
Firewall (iptables - tables, chains and targets)

• There are 2 tools to manage the firewall in most of the Linux distributions
• iptables = For older Linux versions but still widely used
• firewalld = For newer versions like 7 and up

• You can run one or the other
• In this lecture we will work with iptables to manage the firewall

• Before working with iptables make sure firewalld is not running, and disable it
• service OR systemctl stop firewalld = To stop the service
• systemctl disable firewalld = To prevent it from starting at boot time
• systemctl mask firewalld = To prevent it from being started by other programs

• Now check if you have the iptables-services package installed
• rpm -qa | grep iptables-services
• yum install iptables-services (if not installed)

• Start the service
• systemctl start iptables
• systemctl enable iptables

• To check the iptables rules
• iptables -L

• To flush iptables
• iptables -F
Firewall (iptables - tables, chains and targets)

• The function of the iptables tool is packet filtering
• The packet filtering mechanism is organized into three different kinds of structures: tables, chains
and targets

1. tables = A table is something that allows you to process packets in specific ways. There
are 4 different types of tables: filter, mangle, nat and raw

2. chains = The chains are attached to tables. These chains allow you to inspect traffic at
various points. There are 3 main chains used in iptables
• INPUT = incoming traffic
• FORWARD = going to a router, from one device to another
• OUTPUT = outgoing traffic
• Chains allow you to filter traffic by adding rules to them
• Rule = if traffic is coming from 192.168.1.35 then go to the defined target

3. targets = A target decides the fate of a packet, such as allowing or rejecting it. There are 3
different types of targets
• ACCEPT = connection accepted
• REJECT = Send a reject response
• DROP = drop the connection without sending any response
Firewall (iptables - tables, chains and targets)

Let's draw it out:

[Figure: packet flow through the chains]
INPUT   -> Rule (if IP, port etc. matches) -> ACCEPT/DROP/REJECT
FORWARD -> Rule -> ACCEPT/DROP/REJECT
OUTPUT  -> Rule -> ACCEPT/DROP/REJECT

To check the iptables rules
• iptables -L
Firewall (iptables - tables, chains and targets)

Output of iptables -L (types of chain):

[root@MyFirstLinuxVM ~]# iptables -L
Chain INPUT (policy ACCEPT)
target     prot opt source               destination

Chain FORWARD (policy ACCEPT)
target     prot opt source               destination

Chain OUTPUT (policy ACCEPT)
target     prot opt source               destination
[root@MyFirstLinuxVM ~]#

Column meanings:
target      = The target (ACCEPT, DROP or REJECT) for traffic matching the rule
prot        = The protocol, such as tcp, udp, icmp, or all
opt         = Rarely used, this column indicates IP options
source      = The source IP address or subnet of the traffic, or anywhere
destination = The destination IP address or subnet of the traffic, or anywhere
Firewall (iptables - practical examples)

• Drop all traffic coming from a specific IP (192.168.0.25)
• iptables -A INPUT -s 192.168.0.25 -j DROP

• Drop all traffic coming from a range of IPs (192.168.0.0/24)
• iptables -A INPUT -s 192.168.0.0/24 -j DROP

• List all rules in a table by line numbers
• iptables -L --line-numbers

• Delete a specific rule by line number
• iptables -D INPUT 1

• To flush the entire chain
• iptables -F

• To block a specific protocol with rejection (e.g. ICMP)
• iptables -A INPUT -p icmp -j REJECT

• To block a specific protocol without rejection (e.g. ICMP)
• iptables -A INPUT -p icmp -j DROP

• To block a specific port # (e.g. http port 80)
• iptables -A INPUT -p tcp --dport 80 -j DROP
Linux Firewall (iptables - practical examples)

Practical:

Block connections to a network interface
• iptables -A INPUT -i enp0s3 -s 192.168.0.25 -j DROP

Drop all traffic going to www.facebook.com
• host -t a www.facebook.com = find the IP address
• iptables -A OUTPUT -d 31.13.71.36 -j DROP

Block all outgoing traffic to a network range
• iptables -A OUTPUT -d 31.13.71.0/24 -j DROP

Block all incoming traffic except SSH
• iptables -A INPUT -p tcp --dport 22 -j ACCEPT
• iptables -P INPUT DROP

After making all the changes, save the iptables rules. Again make sure firewalld is not running
• iptables-save = The file is saved in /etc/sysconfig/iptables

An iptables saved file can also be restored
• iptables-restore /LOCATION/FILENAME

By default everything is logged in
• /var/log/messages

IMPORTANT: iptables reads the rules in sequence
• If a DROP rule comes first, it will drop all traffic
without going to the next rule
• So make sure to ACCEPT first, using the -I
option instead of -A
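The IMPORTANT note above is the part of iptables that locks administrators out of their own servers: the chain is walked top to bottom, the first rule that matches decides, and the chain policy applies only when nothing matched. As an added example (not from the slides), the bash functions below evaluate one packet against a rule listing exactly that way, using the -s / -p / --dport / -j option syntax from the slides, so the effect of -A (append) versus -I (insert at the top) can be seen without touching a live firewall. The rule listings are constructed text, not read from the kernel; ip_to_int, in_cidr, evaluate_chain and verdict are names chosen here.

```shell
#!/bin/bash
# Added example: first-match evaluation of an iptables-style chain for one packet.
# Rules are lines of "[-s CIDR] [-p PROTO] [--dport N] -j TARGET"; constructed, not live.

# ip_to_int A.B.C.D: the address as a 32-bit integer.
ip_to_int() {
    local IFS=.
    set -- $1
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_cidr IP CIDR: succeed if IP lies inside CIDR (a bare address means /32).
in_cidr() {
    local ip=$1 net=${2%/*} bits=${2#*/} mask a b
    [ "$net" != "$2" ] || bits=32
    mask=$(( bits == 0 ? 0 : (4294967295 << (32 - bits)) & 4294967295 ))
    a=$(ip_to_int "$ip"); b=$(ip_to_int "$net")
    [ $(( a & mask )) -eq $(( b & mask )) ]
}

# evaluate_chain POLICY SRC PROTO DPORT < rules: print the verdict for the packet.
# Rules arrive on stdin in the order "iptables -L" would list them.
evaluate_chain() {
    local policy=$1 src=$2 proto=$3 dport=$4 line
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        local r_src=0.0.0.0/0 r_proto=any r_dport=any target=
        set -- $line
        while [ $# -gt 0 ]; do
            case $1 in
                -s)      r_src=$2;   shift ;;
                -p)      r_proto=$2; shift ;;
                --dport) r_dport=$2; shift ;;
                -j)      target=$2;  shift ;;
            esac
            shift
        done
        in_cidr "$src" "$r_src" || continue
        [ "$r_proto" = any ]  || [ "$r_proto" = "$proto" ]  || continue
        [ "$r_dport" = any ]  || [ "$r_dport" = "$dport" ]  || continue
        echo "$target"; return 0            # first matching rule decides
    done
    echo "$policy"                          # nothing matched: the chain policy applies
}

# verdict POLICY RULES SRC PROTO DPORT: convenience wrapper around evaluate_chain.
verdict() { printf '%s\n' "$2" | evaluate_chain "$1" "$3" "$4" "$5"; }

# The slide's "allow SSH, drop everything else" done with a rule plus the chain policy:
RULES_OK='-p tcp --dport 22 -j ACCEPT'
# Appending (-A) the ACCEPT after a blanket DROP rule shadows it; SSH is dropped:
RULES_SHADOWED='-j DROP
-p tcp --dport 22 -j ACCEPT'
# Inserting (-I) puts the ACCEPT at the top, so it is evaluated first:
RULES_INSERTED='-p tcp --dport 22 -j ACCEPT
-j DROP'

# verdict DROP   "$RULES_OK"       192.168.1.35 tcp 22   -> ACCEPT
# verdict ACCEPT "$RULES_SHADOWED" 192.168.1.35 tcp 22   -> DROP   (locked out)
# verdict ACCEPT "$RULES_INSERTED" 192.168.1.35 tcp 22   -> ACCEPT
```

Before running iptables -P INPUT DROP on a remote machine, check with iptables -L --line-numbers that the SSH ACCEPT rule sits above any DROP, and keep the existing session open until a second login succeeds.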
Firewall (firewalld)

• Firewalld works the same way as iptables, but of course it has its own commands
• firewall-cmd

• It has a few pre-defined service rules that are very easy to turn on and off
• Services such as: NFS, NTP, HTTPD etc.

• Firewalld also has the following:
• Tables
• Chains
• Rules
• Targets
Firewall (firewalld)

• You can run one or the other
• iptables or firewalld

• Make sure iptables is stopped, disabled and masked
• systemctl stop iptables
• systemctl disable iptables
• systemctl mask iptables

• Now check if the firewalld package is installed
• rpm -qa | grep firewalld

• Start firewalld
• systemctl start/enable firewalld

• Check the rules of firewalld
• firewall-cmd --list-all

• Get the listing of all services firewalld is aware of:
• firewall-cmd --get-services

• To make firewalld re-read the configuration added
• firewall-cmd --reload
Firewall (firewalld - Practical Examples)

• firewalld has multiple zones; to get a list of all zones
• firewall-cmd --get-zones

• To get a list of active zones
• firewall-cmd --get-active-zones

• To get firewall rules for the public zone
• firewall-cmd --zone=public --list-all
OR
• firewall-cmd --list-all

• All services are pre-defined by firewalld. What if you want to add a 3rd party service?
• /usr/lib/firewalld/services/ (all service .xml files)
• Simply cp any .xml file and change the service and port number

[root@MyFirstLinuxVM services]# cat test.xml
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>SSH</short>
  <description>To login</description>
  <port protocol="tcp" port="22"/>
</service>
[root@MyFirstLinuxVM services]#
Firewall (firewalld - Practical Examples)

• To add a service (http)
• firewall-cmd --add-service=http

• To remove a service
• firewall-cmd --remove-service=http

• To reload the firewalld configuration
• firewall-cmd --reload

• To add or remove a service permanently
• firewall-cmd --add-service=http --permanent
• firewall-cmd --remove-service=http --permanent

• To add a service that is not pre-defined by firewalld
• /usr/lib/firewalld/services/ (all service .xml files)
• Simply cp any .xml file to sap.xml and change the service name and port number (32)
• systemctl restart firewalld
• firewall-cmd --get-services (to verify the new service)
• firewall-cmd --add-service=sap
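Copying an existing service file and editing it by hand works, but a script that writes the XML from a validated name and port is easier to repeat and cannot produce a malformed file that firewalld then refuses to load. As an added example (not from the slides), the bash function below creates a definition like the slide's sap.xml. It writes to /etc/firewalld/services rather than /usr/lib/firewalld/services: firewalld reads both, and a file in /etc overrides the packaged one of the same name while surviving package updates. SERVICE_DIR can be pointed at a scratch directory so the example runs without root; add_firewalld_service, xml_escape and service_port are names chosen here.

```shell
#!/bin/bash
# Added example: create a custom firewalld service definition (like the slide's sap.xml)
# from a validated name and PORT/PROTO, then show how to enable it.

# Local definitions live in /etc/firewalld/services (override for /usr/lib/firewalld/services).
SERVICE_DIR=${SERVICE_DIR:-/etc/firewalld/services}

# xml_escape TEXT: escape the three characters that would break the XML.
xml_escape() { printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g'; }

# add_firewalld_service NAME PORT/PROTO [DESCRIPTION]: write NAME.xml, print its path.
add_firewalld_service() {
    local name=$1 port=${2%/*} proto=${2#*/} desc=${3:-"custom service $1"} file
    case $name in
        ''|*[!A-Za-z0-9_-]*) echo "bad service name: $name" >&2; return 1 ;;
    esac
    case $proto in
        tcp|udp) ;;
        *) echo "PORT/PROTO must end in /tcp or /udp: $2" >&2; return 1 ;;
    esac
    case $port in ''|*[!0-9]*) echo "bad port: $2" >&2; return 1 ;; esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "port out of range: $port" >&2; return 1
    fi
    file=$SERVICE_DIR/$name.xml
    if [ -e "$file" ]; then echo "$file already exists, not overwriting" >&2; return 1; fi
    mkdir -p "$SERVICE_DIR"
    desc=$(xml_escape "$desc")
    cat > "$file" <<EOF
<?xml version="1.0" encoding="utf-8"?>
<service>
  <short>$name</short>
  <description>$desc</description>
  <port protocol="$proto" port="$port"/>
</service>
EOF
    echo "$file"
}

# service_port FILE: read the port number back out of a service definition.
service_port() { sed -n 's/.*<port protocol="[a-z]*" port="\([0-9]*\)".*/\1/p' "$1"; }

# Real use (as root), following the slide's sap example with port 32:
#   add_firewalld_service sap 32/tcp "SAP application server"
#   firewall-cmd --reload                      # firewalld picks up the new definition
#   firewall-cmd --get-services | tr ' ' '\n' | grep -x sap
#   firewall-cmd --add-service=sap --permanent && firewall-cmd --reload
```

The function refuses to overwrite an existing file on purpose: a definition in /etc/firewalld/services silently replaces the packaged one of the same name, so clobbering, say, ssh.xml would change what --add-service=ssh opens.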
Firewall (firewalld - Practical Examples)

To add a port
• firewall-cmd --add-port=1110/tcp

To remove a port
• firewall-cmd --remove-port=1110/tcp

To reject incoming traffic from an IP address
• firewall-cmd --add-rich-rule='rule family="ipv4" source address="192.168.0.25" reject'

To block and unblock ICMP incoming traffic
• firewall-cmd --add-icmp-block-inversion
• firewall-cmd --remove-icmp-block-inversion

To block outgoing traffic to a specific website/IP address
• host -t a www.facebook.com = find the IP address
• firewall-cmd --direct --add-rule ipv4 filter OUTPUT 0 -d 31.13.71.36 -j DROP
Tune System Performance

A Linux system comes fine-tuned by default when you install it, however there are a few tweaks
that can be done based on system performance and application requirements

In this lesson we will learn...
• Optimize system performance by selecting a tuning profile managed by the tuned daemon
• Prioritize or de-prioritize specific processes with the nice and renice commands
Tune System Performance

What is tuned?

• "Tuned" is pronounced as tune-d
• Tune is for system tuning and d is for daemon
• It is a systemd service that is used to tune Linux system performance
• It is installed in CentOS/Red Hat versions 7 and 8 by default
• The tuned package name is tuned
• The tuned service comes with pre-defined profiles and settings (the list of profiles will be discussed on the next page)
• Based on the selected profile, the tuned service automatically adjusts the system to get the best
performance. E.g. tuned will adjust networking if you are downloading a large file, or it will adjust
IO settings if it detects high storage read/write
• The tuned daemon applies system settings when the service starts or upon selection of a new
tuning profile.
Tune System Performance


Tuned profiles


Profile                  Description
balanced                 Ideal for systems that require a compromise between power saving and performance
desktop                  Derived from the balanced profile. Provides faster response of interactive applications
throughput-performance   Tunes the system for maximum throughput
latency-performance      Ideal for server systems that require low latency at the expense of power consumption
network-latency          Derived from the latency-performance profile. It enables additional network tuning parameters to provide low network latency
network-throughput       Derived from the throughput-performance profile. Additional network tuning parameters are applied for maximum network throughput
powersave                Tunes the system for maximum power saving
oracle                   Optimized for Oracle database loads based on the throughput-performance profile
virtual-guest            Tunes the system for maximum performance if it runs on a virtual machine
virtual-host             Tunes the system for maximum performance if it acts as a host for virtual machines
Tune System Performance


Check if the tuned package has been installed
rpm -qa | grep tuned


Install the tuned package if NOT installed already


yum install tuned


Check tuned service status
systemctl status|enable|start tuned


systemctl enable tuned (To enable at boot time)


Command to change settings for the tuned daemon
tuned-adm


To check which profile is active
tuned-adm active


To list available profiles
tuned-adm list
Tune System Performance


To change to the desired profile


tuned-adm profile profile-name


Check for the tuned recommendation
tuned-adm recommend


Turn off tuned tuning (unload the active profile)
tuned-adm off


Change profile through the web console
Login to https://192.168.1.x:9090
Overview > Configuration > Performance profile
Tune System Performance


Another way of keeping your system fine-tuned is by prioritizing processes through the
nice and renice commands

If a server has 1 CPU then it can execute 1 computation/process at a time, as they come
in (first come first served), while other processes must wait

With the nice and renice commands we can make the system give preference to certain
processes over others

This priority can be set at 40 different levels

The nice level values range from -20 (highest priority) to 19 (lowest priority) and, by
default, processes inherit their nice level from their parent, which is usually 0.
Tune System Performance


• To check process priority


top

Higher priority  <------------------------------------------>  Lower priority
Nice level :  -20  -19 ... -1   0   1 ... 18  19
top [PR]   :    0    1 ... 19  20  21 ... 38  39     (real-time tasks show RT / -99 ... -1)


The nice value is a user-space value, while the priority PR is the process's actual priority as used by the Linux kernel. In
a Linux system the priorities are 0 to 139, in which 0 to 99 are for real-time processes and 100 to 139 for user processes


• Process priority can be viewed through the ps command as well, with the right options
$ ps axo pid,comm,nice,cls --sort=-nice
Tune System Performance


• To set the process priority
nice -n # command
e.g. nice -n -15 top


• To change the priority of a running process
renice -n # PID
e.g. renice -n 12 PID
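As an added example, not from the slides: a script that reads the nice value and kernel priority of a process from /proc and maps them onto the two scales shown above (top's PR column and the kernel's 0..139 range), then starts a child with nice -n to show the increment being applied and clamped. Function names are this example's own; it needs a Linux /proc.

```shell
#!/bin/sh
# Added example, not from the course slides: read a process's nice value and
# kernel priority from /proc/PID/stat and relate them to the two scales on the
# slide (top's PR column 0..39 and the kernel's 0..139). Function names are this
# example's own; it needs a Linux /proc.
set -eu

# fields after the ')' of /proc/PID/stat: $16 is priority, $17 is nice
proc_nice()     { cut -d')' -f2 "/proc/${1:-$$}/stat" | awk '{print $17}'; }
proc_priority() { cut -d')' -f2 "/proc/${1:-$$}/stat" | awk '{print $16}'; }

# top's PR for a normal (non real-time) process is nice + 20, so -20..19 -> 0..39
pr_from_nice() { echo $(( $1 + 20 )); }
# the same process on the kernel's 0..139 scale (100..139 is the user part)
kernel_prio_from_nice() { echo $(( $1 + 120 )); }

# nice value a child gets when started with "nice -n INC": the increment is
# added to the parent's value and clamped to the -20..19 range
expected_child_nice() {
    n=$(( $1 + $2 ))
    if [ "$n" -gt 19 ]; then n=19; fi
    if [ "$n" -lt -20 ]; then n=-20; fi
    echo "$n"
}
# start a throw-away child with "nice -n INC" and report the nice value it got
niced_child_nice() {
    nice -n "$1" sh -c 'cut -d")" -f2 /proc/$$/stat | awk "{print \$17}"'
}

cur=$(proc_nice)
echo "this shell: nice=$cur kernel priority field=$(proc_priority) top PR=$(pr_from_nice "$cur")"
echo "child started with nice -n 5: nice=$(niced_child_nice 5) (expected $(expected_child_nice "$cur" 5))"
# Going the other way ("nice -n -15 top" on the slide) needs root or CAP_SYS_NICE:
# an unprivileged user may only raise the nice value, never lower it.
```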
Run Containers


• The term container and the concept came from the shipping container


These containers are shipped from city to city and country to country


No matter which part of the world you go to, you will find these
containers with the exact same measurements... YOU KNOW WHY???
Because around the world all docks, trucks, ships and warehouses are built
to easily transport and store them
Run Containers


Now when we are talking about containers in IT we are fulfilling a somewhat similar purpose


[Figure: "In old days..." - Developer, Application, Production Server]


• Then came the container technology, which allowed developers or programmers to test and build
applications on any computer just by putting them in a container (bundled in with the software code, libraries and
configuration files) and then run them on another computer regardless of its architecture

• You can move the application anywhere without moving its OS, just like moving the actual physical
container anywhere that would fit on any dockyard, truck, ship or warehouse


• An OS can run single or multiple containers at the same time
Run Containers


Docker
Developed by: Solomon Hykes
Released on: March 20, 2013


• Docker is the software used to create and
manage containers

• Just like any other package, docker can be
installed on your Linux system and its service
or daemon can be controlled through the native
Linux service management tool


Podman
Developed by: Red Hat
Released on: August 2018


• Podman is an alternative to docker

• Docker is not supported in RHEL 8

• It is a daemonless, open source, Linux-native tool designed to
develop, manage, and run containers.
Run Containers
Getting Familiar with Redhat Container Technology


Red Hat provides a set of command-line tools that can operate without a container engine; these include:


podman - for directly managing pods and container images (run, stop, start, ps, attach, etc.)
buildah - for building, pushing, and signing container images

skopeo - for copying, inspecting, deleting, and signing images

runc - for providing container run and build features to podman and buildah


crun - an optional runtime that can be configured and gives greater flexibility, control, and security for rootless
containers.


When you hear about containers then you should know the following terms as well


images - containers can be created from images and containers can be converted to images
pods - a group of containers deployed together on the host. In the podman logo there are 3 seals grouped
together as a pod.
Run Containers


To install podman
• yum/dnf install podman -y
• yum install docker -y (for docker)


Creating an alias to docker
• alias docker=podman


Check podman version
• podman -v


Getting help
• podman --help or man podman


Check podman environment and registry/repository information
• podman info (If you are trying to load a container image, then it will look at the local
machine and then go through each registry in the order listed)


To search for a specific image in the repository
• podman search httpd
Run Containers


To list any previously downloaded podman images
• podman images


To download available images
• podman pull docker.io/library/httpd
• podman images (check downloaded image status)


To list running podman containers
• podman ps


To run a downloaded httpd container

• podman run -dt -p 8080:80/tcp docker.io/library/httpd
(d=detach, t=get the tty shell, p=port)

• podman ps or check httpd through a web browser


To view podman logs
• podman logs -l (-l = the latest container)
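An added example, not from the slides, for the registry lookup mentioned under podman info: a pre-pull check that refuses short image names (which podman resolves through the registry search order) and untagged references (which fall back to :latest). The rules and the function name are this example's own; the slide's own pull target is one of the references tried.

```shell
#!/bin/sh
# Added example, not from the course slides: a pre-pull check for image names.
# "podman info" lists the registries podman searches, in order, when a name
# has no registry in front of it (a short name such as "httpd"), so which image
# you get depends on that list. This helper refuses short names and insists on
# a tag or digest; the rules and the function name are this example's own.
set -eu

check_image_ref() {   # prints a verdict; returns 1 when the reference is refused
    ref=$1
    first=${ref%%/*}   # registry part, if the reference has one
    case $first in
        "$ref")            echo "REJECT $ref: short name, resolved via the registry search order"; return 1;;
        localhost|*.*|*:*) ;;   # a host name with a dot, a host:port, or localhost
        *)                 echo "REJECT $ref: '$first' is not a registry host"; return 1;;
    esac
    last=${ref##*/}    # repository name with tag or digest
    case $last in
        *@sha256:*) echo "OK $ref (pinned by digest)";;
        *:*)        echo "OK $ref (tagged)";;
        *)          echo "REJECT $ref: no tag or digest, so :latest would be assumed"; return 1;;
    esac
}

# Demo on constructed references; the first two are the slide's pull target with
# a tag added and as written. Each call may fail, so "|| true" keeps the demo going.
for r in docker.io/library/httpd:2.4 docker.io/library/httpd httpd library/httpd:2.4 \
         localhost/myapp@sha256:0000000000000000000000000000000000000000000000000000000000000000; do
    check_image_ref "$r" || true
done
```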
Run Containers


To stop a running container
• podman stop con-name (con-name from the podman ps command)
• podman ps (to list running containers)


To run multiple containers of httpd by changing the port #

• podman run -dt -p 8081:80/tcp docker.io/library/httpd
• podman run -dt -p 8082:80/tcp docker.io/library/httpd
• podman ps


To stop and start a previously running container
• podman stop|start con-name


To create a new container from the downloaded image
• podman create --name httpd-con docker.io/library/httpd


To start the newly created container
• podman start httpd-con
Run Containers


Manage containers through systemd
• First you have to generate a unit file
• podman generate systemd --new --files --name httpd-con


• Copy it to the systemd directory
• cp /root/container-httpd-con.service /etc/systemd/system


• Enable the service
• systemctl enable container-httpd-con.service


• Start the service
• systemctl start container-httpd-con.service
Kickstart


• Kickstart is a method to automate the Linux installation without the need for any
intervention from the user


• With the help of kickstart you can automate the questions that are asked during the
installation, e.g.
• Language and time zone
• How the drives should be partitioned
• Which packages should be installed, etc.


[Screenshot: CentOS Linux 8.0.1905 installation summary in Oracle VM VirtualBox: language selection (English variants) and Installation Destination with "Automatic partitioning selected"; "We won't touch your disks until you click Begin Installation"]
Kickstart


• Purpose?
Kickstart


• To use Kickstart, you must:
1. Choose a Kickstart server and create/edit a Kickstart file
2. Make the Kickstart file available on a network location
3. Make the installation source available
4. Make boot media available for the client, which will be used to begin the installation
5. Start the Kickstart installation


[Figure: Kickstart server (Kickstart config file, ISO) serving the client over the network via NFS, FTP, HTTP or HTTPS]

By: Imran Afzal
Kickstart


• CentOS/Redhat 7
• A Kickstart program can be downloaded which allows you to define
parameters through the GUI


• yum install system-config-kickstart
• Or you can use the installation kickstart file which was created during the
first installation (anaconda-ks.cfg)


• CentOS/Redhat 8
• There is no GUI available to edit the file


• Why the change?
• Most systems are virtual and templates can be used
• Automation software such as Ansible is in use.
Kickstart
• Step by step procedure for Kickstart


1. Identify the server


2. Take a snapshot of the server


3. Install the kickstart configurator (for version 7)


yum install system-config-kickstart


4. Start the kickstart file configurator and define parameters OR use /root/anaconda-ks.cfg


system-config-kickstart (To start the configurator)


• We will use the anaconda installation kickstart file and change the hostname only


5. Make sure the httpd package is installed; if not then install the package and start the httpd service


rpm -qa | grep http
yum/dnf install httpd
systemctl start httpd
systemctl enable httpd
Kickstart


6. Copy the kickstart file to the httpd directory and change the permissions


• cp /root/anaconda-ks.cfg /var/www/html
• chmod a+r /var/www/html/anaconda-ks.cfg
• systemctl stop|disable firewalld

• Check the file through a browser on another PC: http://192.168.1.x/anaconda-ks.cfg


7. Create a new VM and attach the CentOS iso image
8. Change the network adapter to Bridged adapter


9. Hit Esc


10. boot: linux ks=http://192.168.1.x/anaconda-ks.cfg
For NFS > boot: linux inst.ks=nfs:192.168.1.x:/rhel8


11. Wait and enjoy the automated installation
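Steps 4 to 6 above, as an added example that is not part of the course: a helper that copies anaconda-ks.cfg, changes only the hostname and makes the copy world-readable for httpd, refusing a plaintext root password because the file is served unauthenticated to the whole LAN. Function names are this example's own and the ks file at the bottom is a constructed, cut-down sample.

```shell
#!/bin/sh
# Added example, not from the course slides: prepare the kickstart file for
# steps 4 to 6 above, i.e. copy anaconda-ks.cfg, change only the hostname and
# make it world-readable for httpd. Because the file is served to anyone on
# the LAN over plain http, the helper refuses a plaintext root password and
# warns when a hashed one is present. Function names are this example's own.
set -eu

ks_hostname() {   # print the hostname set by the last "network --hostname=" line
    sed -nE 's/^network[[:space:]].*--hostname=([^[:space:]]+).*/\1/p' "$1" | tail -n 1
}

prepare_ks() {    # prepare_ks SRC DST NEW-HOSTNAME
    src=$1 dst=$2 host=$3
    [ -r "$src" ] || { echo "cannot read $src" >&2; return 1; }
    case $host in ''|*[!A-Za-z0-9.-]*) echo "bad hostname '$host'" >&2; return 1;; esac
    if grep -Eq '^rootpw[[:space:]]+--plaintext' "$src"; then
        echo "refusing: $src carries the root password in clear text" >&2; return 1
    fi
    if grep -Eq '^rootpw[[:space:]]+--iscrypted' "$src"; then
        echo "warning: the root password hash will be readable by every client; change root's password after the installs" >&2
    fi
    if grep -Eq '^network[[:space:]].*--hostname=' "$src"; then
        sed -E "s/^(network[[:space:]].*--hostname=)[^[:space:]]+/\1$host/" "$src" > "$dst"
    else
        { cat "$src"; echo "network --hostname=$host"; } > "$dst"
    fi
    chmod a+r "$dst"
    echo "$dst"
}

# Demo on a constructed, cut-down anaconda-ks.cfg (not a real installer output)
work=$(mktemp -d)
cat > "$work/anaconda-ks.cfg" <<'EOF'
#version=RHEL8
lang en_US.UTF-8
keyboard --vckeymap=us
network --bootproto=dhcp --device=enp0s3 --onboot=on
network --hostname=localhost.localdomain
rootpw --iscrypted $6$EXAMPLEHASHPLACEHOLDER
%packages
@^minimal-environment
%end
EOF
out=$(prepare_ks "$work/anaconda-ks.cfg" "$work/ks.cfg" node1.example.com)
echo "hostname now: $(ks_hostname "$out")"   # node1.example.com
rm -r "$work"
```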
Kickstart


Kickstart for clients with a static IP


boot: linux ks=http://server.example.com/ks.cfg ksdevice=eth0 ip=192.168.1.50
netmask=255.255.255.0 gateway=192.168.1.1


Where:

ksdevice = the network adapter of the client
ip = the IP you are assigning to the client
netmask = the subnet mask for the client


gateway = the gateway IP address for the client
DHCP


DHCP stands for Dynamic Host Configuration Protocol

In order to communicate over the network, a computer needs to have an IP address

A DHCP server is responsible for automatically assigning IP addresses to servers, laptops, desktops,
and other devices on the network


Wait a second...
• Right now, at home, how are IPs assigned to our devices?
• Answer: the router or gateway given to you by your ISP
• How are IPs assigned in the corporate world?
• Answer: dedicated routers run a DHCP service to assign IPs on the network
DHCP


Step by step instructions
• Pick a server to be your DHCP server and take a snapshot


• Assign a static IP to the DHCP server


• vi /etc/sysconfig/network-scripts/ifcfg-enp0s3
• Or simply run the nmtui command to use the text-based (TUI) network tool


[Screenshot: NetworkManager TUI (nmtui) "Edit Connection" screen for enp0s3 with IPv4 CONFIGURATION set to <Manual>, showing the Addresses, Gateway, DNS servers, Search domains and Routing fields]
DHCP


Install the dhcp server package
• yum install dhcp (version 7)
• dnf install dhcp-server (version 8)


Edit the configuration file with the desired parameters (a sample to start from ships with the package)
• cp /usr/share/doc/dhcp-x.x.x/dhcpd.conf.example /etc/dhcp/dhcpd.conf
• vi /etc/dhcp/dhcpd.conf


default-lease-time 600;        # The DHCP server will reserve the IP address for at least 10 minutes
max-lease-time 7200;           # The DHCP server will reserve the IP address for a max of 2 hours

ddns-update-style none;
authoritative;

subnet 192.168.15.0 netmask 255.255.255.0 {       # Defines the subnet range of 256 addresses
    range 192.168.15.50 192.168.15.200;            # Defines the DHCP range assignment of 150 addresses
    option routers 192.168.15.1;                   # Routers defines the default gateway
    option subnet-mask 255.255.255.0;              # Defines the default subnet mask that will be assigned to each host
    option domain-name-servers 8.8.8.8, 8.8.4.4;   # Defines the DNS nameservers which will be assigned to each host
}
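The subnet stanza above, as an added example that is not from the slides: shell functions that do the IP arithmetic to check that the range and the router lie inside the subnet and that the pool does not contain the gateway, then print the stanza with the slide's values. Function names are this example's own.

```shell
#!/bin/sh
# Added example, not from the course slides: build the subnet stanza of
# /etc/dhcp/dhcpd.conf from its parameters and sanity-check them first, so a
# typo such as a range outside the subnet, or a pool that hands out the
# gateway's own address, is caught before dhcpd is started. Function names
# are this example's own; the values at the bottom are the slide's.
set -eu

ip2int() {   # dotted quad -> 32-bit integer; fails on anything else
    set -- $(printf '%s\n' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || return 1
    for o in "$1" "$2" "$3" "$4"; do
        case $o in ''|*[!0-9]*) return 1;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

in_subnet() {   # in_subnet IP NET MASK
    [ $(( $(ip2int "$1") & $(ip2int "$3") )) -eq "$(ip2int "$2")" ]
}

range_size() {  # inclusive number of leases between START and END
    echo $(( $(ip2int "$2") - $(ip2int "$1") + 1 ))
}

dhcp_subnet_stanza() {  # NET MASK START END ROUTER DNS
    net=$1 mask=$2 start=$3 end=$4 router=$5 dns=$6
    for ip in "$start" "$end" "$router"; do
        in_subnet "$ip" "$net" "$mask" || { echo "$ip is not in $net/$mask" >&2; return 1; }
    done
    [ "$(range_size "$start" "$end")" -gt 0 ] || { echo "range is empty" >&2; return 1; }
    r=$(ip2int "$router")
    if [ "$r" -ge "$(ip2int "$start")" ] && [ "$r" -le "$(ip2int "$end")" ]; then
        echo "router $router lies inside the dynamic range" >&2; return 1
    fi
    printf 'subnet %s netmask %s {\n' "$net" "$mask"
    printf '    range %s %s;\n' "$start" "$end"
    printf '    option routers %s;\n' "$router"
    printf '    option subnet-mask %s;\n' "$mask"
    printf '    option domain-name-servers %s;\n' "$dns"
    printf '}\n'
}

# Demo with the slide's values: a /24 whose pool runs from .50 to .200 inclusive
dhcp_subnet_stanza 192.168.15.0 255.255.255.0 192.168.15.50 192.168.15.200 192.168.15.1 "8.8.8.8, 8.8.4.4"
echo "leases in range: $(range_size 192.168.15.50 192.168.15.200)"
```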
Start the dhcpd service
• systemctl start dhcpd
• systemctl enable dhcpd


Disable firewalld or allow the dhcp service through the firewall

• systemctl stop firewalld

OR

• firewall-cmd --add-service=dhcp --permanent
• firewall-cmd --reload


Switch the DHCP service from your router/modem to your new DHCP server
• Login to your ISP-provided router
• Disable dhcp and enable forwarding to the new dhcp server.